Thursday, May 21, 2015

Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

Edited to add: I wrote a followup post to address comments here and elsewhere that advertising is working as intended. This paper has been reported incorrectly in several places as being about cookie blocking. Tracking protection blocks all traffic, not just cookies.

My paper with Georgios Kontaxis got the best paper award at the Web 2.0 Security and Privacy workshop today! Georgios re-ran the performance evaluations on top news sites and the decrease in page load time with tracking protection enabled is even higher (44%!) than in our Air Mozilla talk last August, due to the prevalence of embedded third-party content on news sites. You can read the paper here.

This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable "free" content are in direct conflict with security, privacy, stability, and performance concerns -- and that Firefox is first and foremost a user-agent, not an industry-agent.

Advertising does not make content free. It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, infect 1 in 20 machines with ad injection malware, and create sites that require unsafe plugins and take twice as many resources to load, quite expensive in terms of bandwidth, power, and stability.

It will take a major force to disrupt this ecosystem and motivate alternative revenue models. I hope that Mozilla can be that force.

I've also been monitoring via my firewall how much ad-related traffic comes from my iOS devices. *Every* app is connecting to ad and tracking servers, regardless of whether any ads are present in the app itself.

With the proliferation of web-based apps on both the desktop and mobile, it may be time to start treating mitigation of this as an OS-level issue, not an app-level one. Just fixing one browser and using that browser isn't going to block most of the tracking that occurs today.

Mozilla and Firefox are dead to me and for most of the GNU/Linux community. You guys have made the wrong choices over and over for the past year, and betrayed your promises of openness and protecting users' freedom.

Advertising is the revenue model that publishers use to produce and publish their content.

It's easy to make blanket statements that it doesn't make content free when you aren't in the space but lots of large publishers and the entire long-tail of the web wouldn't exist without advertising.

Subscriptions are not the answer as people would rather have convenience of free content with ads than have to pay cash for content but disrupting that by just tampering with websites is just malice towards site operators.

Of course loading less things will improve performance, that's just simple math but messing with the revenue streams (without offering an alternative) of the greater web will only end badly for consumers.

Man, ads are great. They allow content to be targeted towards people that could potentially not afford the content and towards people that might not necessarily use the product normally. The world is already significantly divided by wealth. What if Google was behind a paywall? Assuming someone poor even has access to a service like Google, imagine if it was behind a paywall. Could they afford it? If not, imagine how much of a life advantage someone wealthier has over those who cannot afford it. Your idealistic 'superior' ad free world is as alienating and as segregated as Silicon Valley is...

lol, ads are not great. ads are the ruination of mankind, as is this corporate takeover of practically everything in existence down to the building blocks of life itself. when the hedge funds are your landlord and you can vote for monsanto, im sure you will be happy. its quite upsetting tbh to see someone who has embraced this programming so. ads are great. wow. go watch bill hicks or something.

User-agents already make all sorts of decisions to mitigate risk on behalf of the user, such as refusing to display phishing pages or download malware. If someone wants to opt-out of tracking, why shouldn't the user-agent help them accomplish that?

It's cute that all these Anonymous users think that ads are ruining mankind. While they use the internet to complain. Like the internet just exists, free for everyone involved and network/server infrastructure, and content creation/ownership and distribution is free.

So cute.

I want to live in your utopia where stuff just exists and you get to use it for nothing

Please ignore the troll above. They are clearly shills for the IAB or associated groups. Also they are clearly someone who has never read the HTML spec regarding priority of the constituencies.

My actual reason for posting though was what you're saying is very interesting and you've put some great thought behind it. But I'm curious how you balance that with rather privacy invasive tech being built inside the walls of the Mozilla complex: